iptables

Today I'm going to write about the (in)famous iptables, the be-all and end-all of GNU/Linux packet filtering and its de-facto standard.

iptables, the userspace front end to the kernel's netfilter framework, is one of the most widely used and most flexible firewall tools around.

Here I'll just share some really basic rules applied to one of my little boxes:

#!/bin/bash
IPTABLES=/sbin/iptables

# Load the netfilter modules the rules below rely on. These are the old
# 2.4/early-2.6 module names; on current kernels iptables autoloads what it
# needs and the modules are called nf_conntrack, nf_conntrack_ftp, xt_state,
# xt_limit, xt_LOG and xt_REJECT instead, so a failed modprobe here is harmless.
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe iptable_nat
modprobe iptable_mangle
# The FTP helper only tracks port 21 unless told about proftpd's port:
modprobe ip_conntrack_ftp ports=2056
modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_limit
modprobe ipt_REJECT

# Reset everything: flush all rules in the filter, nat and mangle tables and
# fall back to ACCEPT policies. Note that the policies stay ACCEPT below, so
# anything not matched by an explicit rule is let in.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Allow all traffic from the loopback device and the virtual (i.e. VPN) devices
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i tun+ -j ACCEPT

# Input traffic...
# Replies to connections this box opened (ESTABLISHED) and connections the
# conntrack helpers mark as RELATED (e.g. FTP data channels, ICMP errors).
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS: the ESTABLISHED rule above already accepts the answers to our queries,
# so this rule is redundant and kept only for readability. Do not match NEW on
# --sport 53 here: that would let any remote host reach any UDP port on the box
# simply by sending from source port 53.
$IPTABLES -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Answer pings (this accepts every ICMP type, not just echo-request)
$IPTABLES -A INPUT -p icmp -j ACCEPT
# Services reachable on eth0. Only NEW needs listing, since ESTABLISHED,RELATED
# is accepted above; repeating those states is redundant but harmless.
# Allow HTTP traffic to 80 (default)
$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Allow web traffic on 8080 on eth0
$IPTABLES -A INPUT -i eth0 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
# Allow MySQL. This exposes 3306 to everything that reaches eth0; unless remote
# clients really need it, restrict it with -s <client-net> or serve it over tun+ only.
$IPTABLES -A INPUT -i eth0 -p tcp --dport 3306 -m state --state NEW -j ACCEPT
# Allow proftpd (control channel on a non-standard port)
$IPTABLES -A INPUT -i eth0 -p tcp --dport 2056 -m state --state NEW -j ACCEPT
# proftpd passive-mode data ports - Unused for now, since the FTP conntrack
# helper (loaded with ports=2056 above) marks the data connections RELATED.
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 49152:65534 -m state --state NEW -j ACCEPT

# Log remaining input traffic with the "IN-DROP" keyword so you know what is going on.
# LOG is a non-terminating target: the packet continues down the chain, and with
# the DROP below disabled and the policy ACCEPT it is accepted after all.
# The limit match keeps a flood from filling the logs.
$IPTABLES -A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "IN-DROP "
# Actually drop the remaining INPUT traffic. Disabled for now, which makes the
# prefix misleading: nothing logged above is dropped. Enable this line (or set
# -P INPUT DROP) before trusting the box as a firewall.
#$IPTABLES -A INPUT -j DROP

# What to do with FORWARDED traffic? Drop for now, so this box does not route
# between its interfaces until explicit FORWARD rules (and NAT) are added.
$IPTABLES -A FORWARD -j DROP
# Log forwarded traffic? Disabled for now... (it would have to come before the
# DROP above to ever match)
#$IPTABLES -A FORWARD -j LOG --log-prefix "FW-DROP "

The rules above were designed with a router + firewall + VPN + web server + FTP server in mind. Note that, as posted, the INPUT chain only logs and the FORWARD chain drops everything: unmatched inbound traffic is still accepted by the ACCEPT policy, and nothing is routed between interfaces until FORWARD (and NAT) rules are added. Enable the final INPUT DROP before relying on the box as a firewall.
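The IN-DROP prefix is only useful if somebody reads the logs. As an added example (not from the post), here is a small awk summary of what the LOG rule produces, run over constructed kernel-log lines in the format netfilter writes; the addresses are from documentation ranges and the events are made up. It also counts the UDP source-port-53 probes that the original `--sport 53 ... NEW` rule would have let through.

```shell
#!/bin/sh
# Added example: summarise IN-DROP log lines by source, protocol and destination port.
# SAMPLE_LOG is constructed; the last line is an unrelated sshd message to show
# that the prefix filter ignores it.
SAMPLE_LOG='Jan 10 03:14:07 box kernel: IN-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 03:14:08 box kernel: IN-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 03:14:09 box kernel: IN-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 03:15:01 box kernel: IN-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=111 LEN=40
Jan 10 03:15:02 box kernel: IN-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=111 LEN=40
Jan 10 03:16:30 box kernel: IN-DROP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan 10 03:16:31 box sshd[812]: Accepted publickey for admin from 10.8.0.2 port 50000 ssh2'

# stdin: kernel log lines; stdout: "<count> <src> <proto> <dport>" per tuple,
# most frequent first. Only lines carrying the prefix ($1, default IN-DROP) count;
# ICMP has no DPT, so it shows as "-".
top_dropped() {
    awk -v prefix="${1:-IN-DROP}" '
        index($0, prefix) == 0 { next }
        {
            src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v
                else if (k == "PROTO") proto = v
                else if (k == "DPT") dpt = v
            }
            count[src " " proto " " dpt]++
        }
        END { for (key in count) print count[key], key }
    ' | sort -rn
}

# Lines the post's original "--sport 53 ... NEW" rule would have accepted:
# unsolicited UDP from source port 53 (here aimed at the portmapper on 111).
sport53_probes() {
    awk -v prefix="${1:-IN-DROP}" 'index($0, prefix) && / PROTO=UDP / && / SPT=53 /' | wc -l | tr -d ' '
}

summarise_sample() { printf '%s\n' "$SAMPLE_LOG" | top_dropped; }   # first line -> 3 203.0.113.9 TCP 22
count_sample_probes() { printf '%s\n' "$SAMPLE_LOG" | sport53_probes; }   # -> 2

summarise_sample
# On a live box: journalctl -k | top_dropped   (or: grep IN-DROP /var/log/kern.log | top_dropped)
```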

The rules are commented and should be self-explanatory, though feel free to ask for more info.
